spaze / oprah-proxy Goto Github PK

View Code? Open in Web Editor NEW

254.0 22.0 54.0 71 KB

Generate credentials for Opera's "browser VPN"

License: MIT License

Python 98.94% JavaScript 1.06%

opera opera-vpn vpn proxy-server browser-vpn proxies credentials oprah-proxy python

oprah-proxy's Introduction

The Oprah Proxy

Generate credentials for Opera's "browser VPN"

This tool is DEPRECATED, we've learned news things but that's it. If you need anonymity just use Tor.

Opera "VPN" introduced in Opera 38 Developer Edition is not a VPN, it's actually a proxy for the browser only, but it's free and unlimited so why not use it for some other apps, too. There's also Opera VPN for iOS and Opera VPN for Android, both are real VPN. This here is about the browser one.

Not affiliated with Opera Software AS.

Usage

oprahProxy.py <client_type> <client_key>

The script will generate credentials for you and list available proxies so you can use them elsewhere. oprahProxy.py can also be used as a Python module in your own application. Unfortunately I've had no success using any of these proxies as a proxy for curl for example. But it works with OpenSSL's s_client tool and the script will also print the required command for you.

Requirements

Python 3 & Requests. The API server works only with clients with Server Name Indication (SNI) support. Python 3 and Python 2.7.9+ include native support for SNI in their TLS modules. I was too lazy to build a version check, so I went with Python 3.

Technical details

The proxy is a secure one, which means the browser talks to the proxy server via HTTPS even if it loads a plain HTTP site. Hostname resolution (DNS) is also done remotely on the proxy server, so the browser does not leak hostnames when using this proxy. Currently, Opera leaks IP address via WebRTC and plugins, but Opera Software is aware of it and plans to fix it in a future release.

For more technical details, including HTTP API calls, see my technical write-up.

A message to Opera

Opera insists to call this a browser VPN. Sorry Opera, it's not a VPN, and calling it a browser VPN does not make it one. A VPN protects all connections and not just the browser ones. We've been teaching people that VPN protects their devices and operating systems and then you bake a proxy, although a secure one, in the browser and call it a VPN, that's bullshit, pardon my French. The feature is quite nice, but calling it a VPN could eventually be harmful to privacy, because of false sense of security. And then you release Opera VPN which is a VPN, unlike the VPN in the browser. Naming things, one of the only two hard things in Computer Science, right?

Disclaimer

This is just for research purposes, to study how things work, no harm intended. The script might (and will) stop working at any time.

Example `openssl s_client` command:

URL="http://www.opera.com" PROXY=159.203.42.222:443 HEADER="Proxy-Authorization: Basic MURBNTY1NDRFMkQ4NUZEMTgxRDY2OUUxNzM1ODg1MjI3QTRFQUNGQzpGQTI3NzIyMzhEMzg2MzlDMzYzQjk0RTA2MDc3NUIzNzMyNkIyQUEzQTM3OEVBNTdCOEVGQTUxQ0EzMjg0Qjc5"; echo -e "GET $URL HTTP/1.0\n$HEADER\n\n" | openssl s_client -connect $PROXY -ign_eof

Where

URL is a URL you want to load, change it to fit your needs
PROXY is a proxy from the list (the one in the example is the first listed proxy with port 443), change it if you want
HEADER is a Proxy-Authorization HTTP header using generated credentials, no need to change this

Usage with other browsers

You can use Opera's proxies with other browsers via proxy auto-config using the provided pac.js file. In Firefox go to Options → Advanced → Network → Connection → Settings and use https://raw.githubusercontent.com/spaze/oprah-proxy/master/pac.js as Automatic proxy configuration URL. Be aware that your browser traffic will go through the proxy server specified in the PAC file and theoretically I could change it so that the traffic goes via my own server instead. Although I'm not willing to do that, I might be forced to. Use just for testing, at your own risk.

When asked, use the credentials provided by oprahProxy.py script. The PAC file uses hardcoded location (DE), if you want to use other location just download the file, change the hostname (available hostnames are {ca,de,us}.opera-proxy.net), change your browser configuration, and you should be ready to go. Please note that Opera uses different, numbered hostnames when connecting to proxies (e.g. de0.opera-proxy.net) but these don't resolve outside of Opera. There's a certain overlap of IPs for de.opera-proxy.net and de0.opera-proxy.net so my guess is they use the same hosts with just different hostnames.

oprah-proxy's People

Contributors

Stargazers

Watchers

oprah-proxy's Issues

Broken again

Once again, they've broken the request syntax.

If anyone still maintains this project, please find a minute to fix it. :)

2017-04-18 28:63:55,625 DEBUG Geo list fetched
2017-04-18 28:63:55,633 DEBUG Call discover CA
2017-04-18 28:63:56,790 DEBUG "POST /v2/discover HTTP/1.1" 200 None
2017-04-18 28:63:56,801 DEBUG ERROR: Invalid client.

I tried to use the .pac file under MacOS or iOS and it will not ask for credential

Hi, I used the .pac file created by myself (try using both the domain and the ip address directly) under MacOS or iOS. There will be no pop up for credential, instead there is just no internet access.

Changed again

Yep, resistance is useless, but they keep on trying.

2017-05-27 09:27:38,345 DEBUG "POST /v2/register_subscriber HTTP/1.1" 200 None
2017-05-27 09:27:38,348 DEBUG ERROR: Unknown or invalid client type/product code provided.

Is there any fresh fix for that? Muchos gracias!

Not a VPN? Really?

Thanks for creating this script, man!

Can you elaborate on the following: to test your statement that OperaVPN is just a proxy, I ran a quick and dirty gimmick:

Ipad (Jailbroken 8.3)
Kali Linux
Ettercap, Wireshark.

Did MITM ARP poison on Kali and routed Ipad's traffic to it.

VPN ON:
All visible traffic is between the vpn gate in Germany and ipad's local ip. No other SRC or DST ip's.
Not even dns queries. Launched browsers, messengers, different apps.

VPN OFF:
Direct connections to hundreds of ip's, dns queries to apple servers, TLS etc.
Just as expected.

When VPN is on, a new interface is up:

utun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1280
inet 10.251.17.218 --> 10.251.17.218 netmask 0xffffffff

From what I see, it talks via ESP (Encapsulating Security Payload) which I'm not familiar with, but I reckon its part of IPSec family?

So please cure my ignorance, what I did wrong? Thanks!

The s_client example does not work with HTTPS sites

As mentioned in several places (like #3 and this tweet), the openssl s_client example does not work with HTTPS. That's correct and I should do something about it.

The thing is, when connecting to an HTTPS site the proxy needs CONNECT https://httpbin.org/ip HTTP/1.0 instead of GET https://httpbin.org/ip HTTP/1.0 and then expects a full TLS stream. I don't know if this can be achieved with just openssl s_client, maybe not.

I should update the docs that the s_client example is just for HTTP, not HTTPS.
See if it can be done with proxychains or custom client built in Python, like the one in #3

Unknown or invalid client type/product code provided

~ python3 Downloads/oprah-proxy-master/oprahProxy.py 
2017-06-14 13:39:53,631 DEBUG    ++++++++++++++++++++++++++=======================~~~~~~~::::
2017-06-14 13:39:53,632 DEBUG    ,..,,,.,,...,,,.,,,,,,,,,,............,.....,.,,::::~~======
2017-06-14 13:39:53,632 DEBUG    ,,,,,:,,,,,,,,,,,,,,                    ,.,,,,,,,,,,,,,....~
2017-06-14 13:39:53,632 DEBUG    ~~~~~~~:::::::::::::  YOU GET A PROXY!  ,,,,,,,,,,,,,,,,,:~=
2017-06-14 13:39:53,632 DEBUG    ~~===~~~~::::::::::.                    ,,,,,,,,,,,,,,,~~~:~
2017-06-14 13:39:53,632 DEBUG    ::~:::::::::::::::,,...,~=::~=~:.....,,,,,,,,,,,,,,,:~:~:,::
2017-06-14 13:39:53,632 DEBUG    ??+=..,++++++++++=.....:===I+~=~....,,~~=~~~~~~~:~====~,,::~
2017-06-14 13:39:53,632 DEBUG    ::~....,...............~=~~~~:=~,...,.~~~======~==++=~:====+
2017-06-14 13:39:53,633 DEBUG    ::~...,:,,,,,,,,.......:==~+=:~:,.....,,,,,,,~~~====~,,,,,,,
2017-06-14 13:39:53,633 DEBUG    :::~~~:,::,,::::,......+~~===~:,.....,,,,,,~~~~~==~,,,,....,
2017-06-14 13:39:53,633 DEBUG    ~:~:,,,,,:::::,..........~~::~,:....:~~~~~::::~:::::,,,,,,,,
2017-06-14 13:39:53,633 DEBUG    ~...~~~,,::~~::~:........~~~:~::.:,,:~::::::::::::::::::::::
2017-06-14 13:39:53,633 DEBUG    +..???+?~,::::::::::::~:~::~~~:~::::::::::::::::~~=~~~~~~~~=
2017-06-14 13:39:53,633 DEBUG    ...?????+?,.:::::::::::~~:~~::~:::::::::::::::,~++++++++++++
2017-06-14 13:39:53,633 DEBUG    ?=??????+??~,::::::::~~~~~~~~~~::::::::::::::,=+++++++++++++
2017-06-14 13:39:53,633 DEBUG    ????????????::::::,::~~~~~~~~~~:::::::::::::,+++++++++++++++
2017-06-14 13:39:53,633 DEBUG    ??+??????????:,,::,:::~~~~~~~:::::::::::::,+++++++++++++++++
2017-06-14 13:39:53,633 DEBUG    ??????????????+,,,,:::~~,~~~~~:::=,:::::,?+?++++++++++++++++
2017-06-14 13:39:53,633 DEBUG    ????????????????+,:::~~:,~~~~~~~~:~::::=+??+?++?++++++++++++
2017-06-14 13:39:53,634 DEBUG    ??????????????????:::~~~~~~~~~~~:::::::???????++++++++++++++
2017-06-14 13:39:53,634 DEBUG    ??????????????????=:::~~~~~~~~~::::::::+??????+++++?+?++++++
2017-06-14 13:39:53,634 DEBUG    =+==+====++++++++==:::~:,~~~~~:::,::::~====~~::::,,...,:~~=+
2017-06-14 13:39:53,634 DEBUG    ++++++++++++===++++::~:~~~~~~::::~::::=+++++++++++++========
2017-06-14 13:39:53,634 DEBUG    =====+++++=====++++:~:~~~~~~::::::::::~++===================
2017-06-14 13:39:53,634 DEBUG    +++==+======+++                           ==================
2017-06-14 13:39:53,634 DEBUG    ~~~~==========~  EVERYBODY GETS A PROXY!  ~~~~~~~~~~~~~~~~~~
2017-06-14 13:39:53,634 DEBUG    ~~~~~~~~~~~===~                           ~~~~~~~~~~~~~~~~~~
2017-06-14 13:39:53,634 DEBUG    =============++===:::::::::::::::::::::~~~~~~~~~~~~~~~~~~~:~
2017-06-14 13:39:53,634 DEBUG    https://github.com/spaze/oprah-proxy :::==~=~~~~~~~~=~~~~~~~
2017-06-14 13:39:53,635 DEBUG    Call register_subscriber
2017-06-14 13:39:53,635 DEBUG    Your SurfEasy email: ed0ecd02-1c74-4a1c-a54a-b126570204f4@<put client type here>.surfeasy.vpn
2017-06-14 13:39:53,635 DEBUG    Your SurfEasy password: 2e6abc52-da89-4d75-aabb-708111617647
2017-06-14 13:39:53,635 DEBUG    Your SurfEasy password hash: 2DDA99C2E100C54FC2C51C2177B9886C73F8E7C4
2017-06-14 13:39:53,635 DEBUG    These are not the credentials you are looking for (you won't probably need these, ever)
2017-06-14 13:39:53,640 DEBUG    Starting new HTTPS connection (1): api.surfeasy.com
2017-06-14 13:39:54,805 DEBUG    https://api.surfeasy.com:443 "POST /v2/register_subscriber HTTP/1.1" 200 None
2017-06-14 13:39:54,806 DEBUG    ERROR: Unknown or invalid client type/product code provided.

Mitmproxy vs Opera

Trying to analyze their handshake. Had set up mitmproxy, added a trusted CA.
Firefox works fine. Opera w/o vpn works fine.
But when trying to connect to vpn, mitmproxy says:

The client may not trust the proxy's certificate for api.surfeasy.com.

I suspect they're using cert pinning of some sort? Any ideas?

not working: no proxy auth window in browsers

for some reason it doesn't work.
although script shows me correct credentials such as:

https://api.surfeasy.com:443 "POST /v2/discover HTTP/1.1" 200 None
2017-05-08 00:20:59,564 INFO Your location is RU/71
2017-05-08 00:20:59,564 INFO Proxy in NL/0 185.137.17.99:443
2017-05-08 00:20:59,564 INFO Proxy in NL/0 185.137.18.106:80
2017-05-08 00:20:59,564 INFO Proxy in NL/0 185.137.18.182:8181
2017-05-08 00:20:59,564 INFO Proxy in NL/0 185.137.18.120:22
2017-05-08 00:20:59,565 INFO Proxy in NL/0 185.137.18.218:443
2017-05-08 00:20:59,565 INFO Proxy in NL/0 185.137.18.84:80
2017-05-08 00:20:59,565 INFO Proxy in NL/0 185.137.17.90:8181
2017-05-08 00:20:59,565 INFO Proxy in NL/0 185.137.18.102:22
2017-05-08 00:20:59,565 INFO Proxy in NL/7 188.166.53.215:443
2017-05-08 00:20:59,566 INFO Proxy in NL/0 185.137.19.126:80
2017-05-08 00:20:59,566 DEBUG 10 proxies discovered
2017-05-08 00:20:59,566 INFO Pick a proxy from the list above and use these credentials:
2017-05-08 00:20:59,566 INFO Username: $$$$$$
2017-05-08 00:20:59,566 INFO Password: #########
2017-05-08 00:20:59,566 INFO HTTP header Proxy-Authorization: Basic ####$$$$!!!!!!!

in a browsers none off the proxies listed above work directly with ip:port designation - empty response. when using pac.js file the best i've managed to achieve is: "Authentication credentials required" message in browser windows. no proxy basic auth windows appears as it should with common proxy solutions with manual auth. my local proxies with basic auth are working as expected showing an auth window in all the browsers.
tried firefox, ie11, chromium 60. nothing. one time the proxy auth windows appeared in firefox, but after restart it's gone again.
in opera's native mode everything is working though.
i've tried cascading proxy with manual basic auth (ccproxy) - also doesn't work.
any suggestions?

Dont proxy local addresses [pac.js]

For https://github.com/spaze/oprah-proxy/blob/master/pac.js
Sample fixed PAC file

function FindProxyForURL(url, host) {
 
// bypass proxy for local addresses
    if (isPlainHostName(host) ||
        shExpMatch(host, "*.local") ||
        isInNet(dnsResolve(host), "10.0.0.0", "255.0.0.0") ||
        isInNet(dnsResolve(host), "172.16.0.0",  "255.240.0.0") ||
        isInNet(dnsResolve(host), "192.168.0.0",  "255.255.0.0") ||
        isInNet(dnsResolve(host), "127.0.0.0", "255.255.255.0"))
        return "DIRECT";
 
// DEFAULT RULE: All other traffic use this proxy
	return 'HTTPS ca.opera-proxy.net:443';

}

General PAC reference
https://support.mozilla.org/en-US/kb/advanced-panel-settings-in-firefox#w_connection
https://www.websense.com/content/support/library/web/v76/pac_file_best_practices/PAC_best_pract.aspx
https://www.websense.com/content/support/library/web/v76/pac_file_best_practices/PAC_file_sample.aspx
http://findproxyforurl.com/example-pac-file/

PAC validator / parser utilities
https://chentiangemalc.wordpress.com/2013/09/30/pacdbg-custom-proxy-browser-set-proxy-cmd-line-tool/
https://github.com/pacparser/pacparser

How to use a local PAC file instead of cloud hosted file
https://www.cisco.com/c/en/us/td/docs/security/web_security/connector/connector3000/PACAP.html#wp1015209

In-browser PAC editor
https://addons.mozilla.org/en-US/firefox/addon/pac-reloader

Just one country is returned for the discover call

Looks similar to #12, but this time it's just NL:

2017-04-22 02:36:51,412 DEBUG    Call geo_list
2017-04-22 02:36:51,743 DEBUG    "POST /v2/geo_list HTTP/1.1" 200 None
2017-04-22 02:36:51,745 INFO     Supported country: CA Canada
2017-04-22 02:36:51,747 INFO     Supported country: US United States
2017-04-22 02:36:51,747 INFO     Supported country: DE Germany
2017-04-22 02:36:51,748 INFO     Supported country: NL Netherlands
2017-04-22 02:36:51,748 INFO     Supported country: SG Singapore
2017-04-22 02:36:51,749 DEBUG    Geo list fetched
2017-04-22 02:36:51,749 DEBUG    Call discover CA
2017-04-22 02:36:52,067 DEBUG    "POST /v2/discover HTTP/1.1" 200 None
2017-04-22 02:36:52,068 INFO     Your location is CZ/52
2017-04-22 02:36:52,068 INFO     Proxy in NL/0 185.137.19.134:443
2017-04-22 02:36:52,068 INFO     Proxy in NL/0 185.137.18.31:80
2017-04-22 02:36:52,068 INFO     Proxy in NL/0 185.137.18.173:8181
2017-04-22 02:36:52,068 INFO     Proxy in NL/0 185.137.18.126:22
2017-04-22 02:36:52,068 INFO     Proxy in NL/0 185.137.18.120:443
2017-04-22 02:36:52,068 INFO     Proxy in NL/0 185.137.18.119:80
2017-04-22 02:36:52,068 INFO     Proxy in NL/0 185.137.17.50:8181
2017-04-22 02:36:52,068 INFO     Proxy in NL/0 185.137.18.144:22
2017-04-22 02:36:52,068 INFO     Proxy in NL/0 185.137.18.46:443
2017-04-22 02:36:52,068 INFO     Proxy in NL/0 185.137.17.53:80
2017-04-22 02:36:52,069 DEBUG    10 proxies discovered
2017-04-22 02:36:52,069 DEBUG    Call discover US
2017-04-22 02:36:52,407 DEBUG    "POST /v2/discover HTTP/1.1" 200 None
2017-04-22 02:36:52,408 INFO     Your location is CZ/52
2017-04-22 02:36:52,408 INFO     Proxy in NL/0 185.137.18.224:443
2017-04-22 02:36:52,408 INFO     Proxy in NL/0 185.137.17.13:80
2017-04-22 02:36:52,409 INFO     Proxy in NL/0 185.137.19.139:8181
2017-04-22 02:36:52,409 INFO     Proxy in NL/0 185.137.18.80:22
2017-04-22 02:36:52,409 INFO     Proxy in NL/0 185.137.19.238:443
2017-04-22 02:36:52,409 INFO     Proxy in NL/0 185.137.18.120:80
2017-04-22 02:36:52,409 INFO     Proxy in NL/0 185.137.17.40:8181
2017-04-22 02:36:52,409 INFO     Proxy in NL/0 185.137.18.205:22
2017-04-22 02:36:52,409 INFO     Proxy in NL/0 185.137.18.154:443
2017-04-22 02:36:52,409 INFO     Proxy in NL/0 185.137.18.52:80
2017-04-22 02:36:52,409 DEBUG    10 proxies discovered

A little bit confusing instructions?

The PAC file uses hardcoded location (DE), if you want to use other location just download the file, change the hostname (available hostnames are {ca,de,us}.opera-proxy.net), change your browser configuration, and you should be ready to go.

^^^
Just want to clarify it: what does "change your browser configuration" mean?
If I edit pac.js and put US or CA instead of DE, what shall I do next?
Save the edited file locally and point Auto-detect to something like file://..../pac.js ?

Use /v4 API

Opera 45.0.2552.812 has switched to v4 API. That API uses HTTP Digest Authentication instead of SE-... HTTP headers.

POST /v4/register_subscriber HTTP/1.1
Host: api.surfeasy.com
Connection: keep-alive
Content-Length: 128
Accept: application/json
SE-Client-Version: Stable 45.0.2552.812
SE-Operating-System: Windows
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.81 Safari/537.36 OPR/45.0.2552.812
Accept-Encoding: gzip, deflate, br

HTTP/1.1 401 Unauthorized
Server: nginx/1.12.0
Date: Thu, 18 May 2017 20:32:04 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Status: 401 Unauthorized
WWW-Authenticate: Digest realm="ApiDigest", qop="auth", algorithm=SHA-256, nonce="MTQ5NTEzOTUyNDozNDEyMjA0OWY0ZjE4ZDgwZDFjOGI5M2ZiNmUyMzYyMWI4Y2NiYTNiMDEwZTdmNzU0NzY2ZTNjOTA2NmYwYWM2", opaque="a6feff632d495616728c8ef3532064ca457e3d0badcfa2db349a0433dcc4520f"
X-UA-Compatible: IE=Edge,chrome=1
Cache-Control: no-cache
X-Request-Id: 66c73f05d6950077cfd83b58fc9f498e
X-Runtime: 0.009371
X-Rack-Cache: invalidate, pass

POST /v4/register_subscriber HTTP/1.1
Host: api.surfeasy.com
Connection: keep-alive
Content-Length: 128
Authorization: Digest username="se0316", realm="ApiDigest", nonce="MTQ5NTEzOTUyNDozNDEyMjA0OWY0ZjE4ZDgwZDFjOGI5M2ZiNmUyMzYyMWI4Y2NiYTNiMDEwZTdmNzU0NzY2ZTNjOTA2NmYwYWM2", uri="/v4/register_subscriber", algorithm=SHA-256, response="ff7f495b6dd7c0b53119f3f92e6f3dbb7607d6a4d0441ec77359437e8b958ee2", opaque="a6feff632d495616728c8ef3532064ca457e3d0badcfa2db349a0433dcc4520f", qop=auth, nc=00000001, cnonce="d186e18e5c7172fa"
Accept: application/json
SE-Client-Version: Stable 45.0.2552.812
SE-Operating-System: Windows
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.81 Safari/537.36 OPR/45.0.2552.812
Accept-Encoding: gzip, deflate, br

To calculate correct response the password is needed, according to RFC 7616:

3.4.2.  A1
   If the algorithm parameter's value is "<algorithm>", e.g., "SHA-256",
   then A1 is:
         A1       = unq(username) ":" unq(realm) ":" passwd
   where
         passwd   = < user's password >

client_type and client_type

In the usage

oprahProxy.py <client_type> <client_key>

what are these client_type and client_key stand for? Can you add bit more detail on how to obtain those or what are valid client_type?

The script stopped working

The api responds with this error:

{'data': {}, 'return_code': {'19': 'Invalid client.'}}

Wrong device_hash, client_type and api_key combination

Combination of device_hash, client_type and api_key doesn't seem to be working

Feature request: Automatically find the lowest latency

Hi,

It'd be super nice if the script could automatically do a couple pings to each server and automatically find the closest server.

Cheers :)

Two ways to use this proxy in Python

After got the secret sauce:

basic_auth, proxy, port = get_proxy()

I find that one low-level way to use it is:

req = 'GET {url} HTTP/1.0\nProxy-Authorization: BASIC {basic_auth}\n\n'.format(
    url='http://httpbin.org/ip', basic_auth=basic_auth)
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock = ssl.wrap_socket(sock)
sock.connect((proxy, port))
sock.send(req.encode('ascii'))
print(sock.recv(1024))
sock.close()

Another method needs an ugly monkey patch of HTTPSConnection to avoid SNI error:

class PatchedContext:

    def __init__(self, conn):
        conn._check_hostname = False
        conn._context.check_hostname = False
        self.ctx = conn._context

    def __getattr__(self, attr):
        if attr == 'wrap_socket':
            return lambda sock, server_hostname: self.ctx.wrap_socket(sock)
        return getattr(self.ctx, attr)

conn = http.client.HTTPSConnection(proxy, port)
conn._context = PatchedContext(conn)
conn.request("GET", "http://httpbin.org/ip",
             headers={"Proxy-Authorization": "BASIC "+basic_auth})
print(conn.getresponse().read())